Is Australia’s “cybersecurity” really that bad?


News arrived this week of another national thinktank releasing a report warning Australia of the dangers of not paying attention to the “cybersecurity” situation in the new millennium. The Australian newspaper has got its hands on a report by the Kokoda Foundation a month ahead of the report’s launch (and no, they won’t give it to us as well, we asked this morning), which reportedly states:

“A large part of the Australian population does not comprehend the scale of the growing cyber threat, nor the potential impact of that threat on personal and national wellbeing … That lack of understanding, and therefore commitment to addressing that threat, is a fundamental weakness in the individual and collective security of Australians.”

Now I’m in two minds about these sorts of reports.

Firstly, there is no doubt that as each piece of critical Australian infrastructure is connected to IP-based networks (and therefore, usually, ultimately to the internet, firewalls notwithstanding), that infrastructure becomes more exposed to attack. And if you examine previous audits of government infrastructure, you will find that the Australian public sector is full of IT security holes.

However, can anyone doubt that when you interview a group of “cybersecurity experts” for a report like this, they will conclude that the threat is growing and that the nation needs to throw more money at the area? Quite apart from the fact that such statements are self-serving, it’s important to understand that experts always see things through the lens of their own expertise.

As anyone who works in security will tell you, securing infrastructure is not about providing failsafe solutions. It is about trading functionality against risk: every level of access you open up on a piece of infrastructure carries a corresponding level of risk. You can never completely secure anything; security is a scale, and the real question is where on that scale each system should sit.

In this context, it’s not useful for reports in this area to make motherhood statements about Australia’s cybersecurity situation. What would be much more useful is specific detail about how, and to what level, Australia should be securing each individual piece of infrastructure in our possession.

In addition, what would be even more useful — extremely so — is to document actual examples where there have been “cyber-attacks” (whatever that phrase means). Even if you maintain the anonymity of the various players in such events, recording and publishing them would tell us much about the real nature of the threat, whatever it may be.

Maybe the Kokoda Foundation’s report does contain this information; I guess we’ll find out next month. Until that stage, however, it’s my opinion that the thinktank’s report hasn’t moved the public debate on this issue forward one millimetre.

Image credit: Anja Ranneberg, royalty free


  1. Why now is security being discussed (someone justifying their jobs, eh)? There is no difference (other than speed) between the current implementation of the internet to homes/businesses as opposed to a connection to, say, fibre optic available via the NBN. It is the responsibility of the individual and businesses to secure their data, not the government’s problem. It should be the responsibility of the end users to educate themselves about how computers and the internet work.

  2. In addition, what would be even more useful — extremely so — is to document actual examples where there have been “cyber-attacks” (whatever that phrase means). Even if you maintain the anonymity of the various players in such events, recording and publishing them would tell us much about the real nature of the threat, whatever it may be.

    As a web developer I can tell you attacks happen, and are successful, all the time. It’s a particular problem with small businesses who are price-conscious (i.e., getting green developers to do the work who are ignorant of the issues) and not aware of the risks involved. Chances are they don’t even know that they are leaking data.

  3. Most places don’t want to admit or will actively cover up “leakages” (a PC term for “IT security breach”).

    For example, a federal government agency automatically classifies a breach as security-in-confidence, which then pretty much prevents it from getting into the public domain.

    However, the commercial sector is probably worse, especially SMEs, with data repositories quickly and effectively pillaged for credit cards etc. In previous job roles I was often contracted to SMEs which were totally compromised: servers laden with pirated software, IRC servers, spam purveyors, PABX/VoIP jump-off points. Typically for years. Generally only picked up when the compromise caused IT service issues or costs (e.g. a large phone or internet bill). One lovely example: I saw a real estate agency unknowingly displaying its entire client list for 13 months, including email, address, phone and direct debit bank details.

  4. The NSA are currently operating on the basis that at any point in time sections of their network are compromised.
    If an organisation like the NSA has moved from a threat mitigation model of “we can keep them out” to “they’re in, so let’s do the best we can to contain them”, then any media coverage on cyber attacks is simple scaremongering with probably a fundraiser angle from the infosec sector.

  5. It’s not just the “security experts” (with a product or service to sell) that we should take with a huge grain of salt when reviewing a report like this, but also the self-serving needs of those who hate the freedoms that information technology has been providing us. Regulators and government agencies continue to grapple with the digital age, and rather than promoting technologies to truly enhance our security and privacy, they fall back on draconian laws and regulations. Confine, control, contain.

    There’s no questioning that there are risks which not everyone is aware of nor ready to face, but we mustn’t allow ourselves to be distracted by Fear, Uncertainty and Doubt either. A calm and rational review of infrastructure, risks and remediation possibilities will serve us far better than knee-jerk responses in the form of unnecessary laws or snake oil salespeople.
